Ian Williamson, head of digital and privacy law and Cavan Fabris, senior manager, cyber and data law at EY, bring you the latest on the NIS.

As Europe grappled with the EU General Data Protection Regulation (GDPR) in May 2018, the Networks and Information Systems (NIS) directive quietly came into UK law that same month.

Whereas GDPR deals with the security of personal data, the NIS directive requires digital service providers, covering online search engines, cloud computing services and online marketplaces to register by 1 November 2018 with the Information Commissioner’s Office (ICO) and implement a common level of network and information systems security or face hefty fines of up to £17m.

NIS guidelines have also been set out for operators of essential services which include energy, transport, water, healthcare and digital infrastructure.

Yet as digital service providers prepare to deal with their own looming deadline, here our key considerations:

  • If you are a digital service provider operating a cloud service, software as a service (SaaS), infrastructure as a service (IaaS) or platform as a service (PaaS), the NIS directive applies to you.
  • It applies to digital service providers with a head office in the UK or nominated representative in the UK, employing over 250 people with an annual turnover of over €10m.
  • It requires digital service providers to maintain adequate documentation demonstrating their cybersecurity efforts by taking into account international standards and best practice with specific reference to the National Cyber Security Centre’s 14 security principles, cyber assessment framework and the European Union Agency for Network and Information Security 2016 standards.
  • It has different compliance obligations to GDPR. The NIS directive is aimed at establishing a standard for network security, service availability and service continuity whilst GDPR is concerned with the risks associated with the collection, control and processing of personal data and the protection of associated privacy rights. Therefore being GDPR compliant does not mean you are also NIS compliant.
  • A single data breach could result in penalties under both GDPR if personal data was compromised as well as penalties under the NIS if the ICO’s investigation finds that a digital service provider failed to comply with its security, notification or inspection obligations.
  • Unlike GDPR, inspection costs by the ICO for compliance with the NIS will be borne by the digital service provider.
  • The ICO intends to assert its authority to gauge compliance with the NIS as reinforced in its draft Regulatory Action Policy and issue assessment/enforcement notices and fines when necessary as part of its mission to increase public trust in the digital economy.
  • The NIS has similar notification obligations to GDPR in case of a cybersecurity incident. A digital service provider must notify the ICO without undue delay and no later than 72 hours after the provider is aware of any incident having a substantial impact on the provision of its services. This obligation covers not just those incidents within the UK but any incident having a substantial impact within the EU. Notifications to the ICO must also include sufficient detail to permit the ICO to determine the significance of the incident and its cross-border impact.
  • The notification requirements under the NIS are stricter than those under GDPR and require more detail on the incident to the ICO within the 72 hour deadline. It’s likely that digital service providers will need to develop separate policies to meet their notification requirements under GDPR and the NIS.
  • Under the NIS, the ICO will also hold digital service providers responsible for their supply chain’s compliance. Digital service providers that outsource certain cybersecurity functions should review their contractual arrangements to ensure the necessary provisions exist to allow the provider to meet its NIS obligations including notification of incidents within their supply chain’s network having a substantial impact on the provider’s services. Liability provisions should also be revised and cyber insurance policies reviewed.
  • A multidisciplinary approach will be needed across all parts of the organisation from risk, compliance, data privacy, information security, supply chain, operations to the legal team to fully meet the NIS requirements.

With many companies still unaware of their NIS obligations, relevant digital service providers will need to register before 1 November 2018 with the ICO and implement a common level of network and information systems security or risk facing penalties of up to £17m for non-compliance.